|Posted by Mark Cantrell on October 31, 2017 at 7:40 AM|
Cyber crooks know where you live…
The Internet of Things is bringing the digital revolution home thanks to an array of ‘smart’ creature comforts that are changing the way we live, but if we can’t crack an emerging security gap we’ll be wide open to gatecrashing cyber-crooks
By Mark Cantrell
THE digital revolution has opened up a whole new realm of ‘smart’ home comforts, courtesy of the Internet of Things (IoT), but its promise of enhanced convenience for households comes with a pretty significant caveat – it potentially opens the door to those with a criminal intent.
Not literally, of course. Well, not necessarily. But the technology can be subverted and turned against us by those with the know-how to exploit any vulnerability in the system. Gaps in security, courtesy of ill-thought design, poor implementation, or simply a result of complexity as tangled inter-connections grow, could leave us with the digital equivalent of a window left wide open.
That’s quite a headache for those tasked with designing and implementing IoT gadgets and devices. The same might be said for those concerned with law enforcement and public protection. Marketers can’t sidle away from the issue either; security is a big concern – it all boils down to trust. If consumers can’t be persuaded they can trust the technology, then an emergent market potentially withers on the digital vine.
That said, with 20 billion devices expected to be connected to the internet by 2020, the IoT is unlikely to experience an untimely demise – but it certainly means the stakes are high.
“Cyber-criminals are quick to adapt and exploit new technologies. They come up with new ways to victimise and affect people's lives and invade their privacy, either by collecting or manipulating personal data or by virtually breaking into their smart homes,” said Rob Wainwright, executive director of Europol.
“The Internet of Things is not only here to stay but expected to significantly expand as more and more households, cities and industries become connected. Insecure IoT devices are increasingly becoming tools for conducting cyber criminality. We need to act now and work together to solve the security challenges that come with the IoT and to ensure the full potential.”
Europol, along with the EU Agency for Network & Information Security (ENISA), hosted a conference earlier this month to look at the issues surrounding cyber-security in the age of IoT. The event pulled together over 250 people from across the private sector, the security industry, law enforcement, academia, and European Computer Security Incident Response Teams (CSIRT), to discuss this knotty thread of criminality we could be weaving into our tech.
The IoT is a “wide and diverse ecosystem”, Europol pointed out in its news release about the event. It consists of a tangled web of interconnected devices and services, which “collect, exchange and process data in order to adapt dynamically to a context”.
“In simpler terms,” the release continued, “it makes our cameras, televisions, washing machines and heating systems ‘smart’ and creates new opportunities for the way we work, interact and communicate, and how the devices react and adapt to us. It is important to understand how these connected devices need to be secured and to develop and implement adequate security measures to protect the Internet of Things from cyber threats.”
Such systems get to know us rather well, you might say; convenient for the household, an alluring prospect for the kingpins of cybercrime.
“The IoT revolution is beginning to transform our personal lives and the infrastructures that we use on a regular basis such as smart homes, smart energy and smart health,” said Professor Dr Udo Helmbrecht, executive director of ENISA. “Manufacturers and operators of these devices need to ensure that security by design has been incorporated into their selection and their deployment.”
If networked devices are the roots of the problem, the same might be said of the solution, if the conference conclusions are anything to go by: not so much in terms of technology per se, but good old-fashioned teamwork by the human elements of the machine. Cooperation is a key part of security and safety, the conference concluded, especially as emergent developments such as industry 4.0, autonomous vehicles and the advent of 5G come to the fore.
Other considerations include:
- Securing end devices is often technically difficult and expensive to achieve, so the focus must be on securing the architecture and the underlying infrastructure, creating security and trust across different networks and domains
- Stronger incentives to address the security issues around IoT must be created. This requires an “optimal balance” between opportunity and risk in the market. Security needs to be positioned as a distinctive commercial advantage
- To effectively and efficiently investigate the criminal abuse of IoT, deterrence will need strong cooperation between law enforcement and the CSIRT community, as well as the wider security industry and the judiciary
- This means that law enforcement agencies will need to develop the requisite technical skills and expertise to fight IoT-related cyber-crime successfully
- More needs to be done to raise awareness of the security risks to IoT devices among end-users, be they consumers of businesses
IoT isn’t just a domestic issue, of course. In a way, it marks something of a convergence of home and business, as devices in the home connect and communicate in realtime with service providers. Increasingly, it means that the security of our home becomes as dependent on the strength of third party businesses, as it does on our own efforts to safeguard our private space. The question is how vulnerable are these providers to malign intervention?
Earlier this year, California-based tech firm Cisco warned businesses they needed to “improve their security posture” in the face of the ever-increasing convergence of IT and operational technology that means more and more aspects of a business’s activities are accessible online.
“The Internet of Things continues to offer new opportunities for cyber-criminals, and its security weaknesses, ripe for exploitation, will play a central role in enabling these campaigns with escalating impact,” the company said. “Recent IoT botnet activity already suggests that some attackers may be laying the foundations for a wide-reaching, high-impact cyber-threat that could potentially disrupt the internet itself.” Heavy stuff.
Cisco gave this warning when it released its 2017 Midyear Cyber-Security Report back in July, which presents data-driven industry insights and cyber-security trends for the first half of the year. Among its findings, the report suggests that organisations are struggling with “visibility and complexity” as the IoT hastens the merger of IT and operational technology. As a result, it suggests, the volume of attacks is coming to increasingly overwhelm security teams.
“Complexity continues to hinder many security organisations' security efforts,” said David Ulevitch, senior vice president and general manager of Cisco's Security Business Group. “It's obvious that the years investing in point products that can't integrate is creating huge opportunities for attackers who can easily identify overlooked vulnerabilities or gaps in security efforts. To effectively reduce time to detection and limit the impact of an attack, the industry must move to a more integrated, architectural approach that increases visibility and manageability, empowering security teams to close gaps.”
Steve Martino, vice president and chief information security officer at Cisco, added: “As recent incidents like WannaCry and Nyetya illustrate, our adversaries are becoming more and more creative in how they architect their attacks. While the majority of organisations took steps to improve security following a breach, businesses across industries are in a constant race against the attackers. Security effectiveness starts with closing the obvious gaps and making security a business priority.”
Meanwhile, sat at ease in our living rooms, we make the most of our ‘smart’ creature comforts, blissfully unaware that – perhaps – hearth and home is no longer quite the safe space it once was. Smart technology is all very well, but given it can be so readily turned against us – we’re the ones who need to wise up.
Play safe: don’t let the web-bugs bite…
Image courtesy of Pixabay